banking trojans Archives

AppWizard

March 19, 2026

New Android malware hiding in streaming apps to spy on users’ personal notes

Researchers have discovered a sophisticated malware called Perseus that targets Android users by disguising itself within television streaming applications to steal sensitive information, including passwords and banking details. This malware, reported by ThreatFabric, primarily affects users in Turkey and Italy and is based on the leaked code of previous Android banking trojans, particularly Cerberus. Perseus masquerades as IPTV service apps, often downloaded from unofficial sources, and employs overlay attacks and keylogging techniques to capture user credentials. It specifically targets personal note-taking applications like Google Keep, Evernote, and Simple Notes to extract sensitive information stored within them. The malware landscape is evolving, with new threats like the banking trojan Herodotus and the Crocodilus variant, which can manipulate contact lists. Users are advised to be cautious when downloading applications from unofficial sources.

AppWizard

March 12, 2026

Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets

Cybersecurity researchers have identified six new families of Android malware designed to extract sensitive data and facilitate financial fraud. Notable threats include: - PixRevolution: Targets Brazil's Pix payment platform, activates during Pix transfers, and uses real-time monitoring to intervene in transactions. Victims are tricked into installing malicious apps from counterfeit Google Play Store listings, which enable accessibility services for the malware to capture screens and overlay fake interfaces to reroute funds. - BeatBanker: Spreads through phishing attacks disguised as legitimate Google Play Store pages. It uses an inaudible audio loop for persistence, functions as a banking trojan, and includes a cryptocurrency miner. It creates deceptive overlays for platforms like Binance and Trust Wallet to divert funds and can monitor web browsers and execute remote commands. - TaxiSpy RAT: Exploits accessibility services to gather sensitive information such as SMS messages and call logs, targeting banking and cryptocurrency applications with overlays for credential theft. It employs advanced evasion techniques like native library encryption and real-time remote control. - Mirax: A private malware-as-a-service (MaaS) offering with a subscription model that provides tools for banking overlays and information gathering, including keystrokes and SMS. - Oblivion: Another Android RAT available at a competitive price, featuring capabilities to bypass security measures on various devices. - SURXRAT: Distributed through a Telegram-based MaaS ecosystem, it uses accessibility permissions for persistent control and communicates with a Firebase-based command-and-control infrastructure. Some samples incorporate a large language model component, indicating experimentation with AI by threat actors.

Tech Optimizer

February 11, 2026

Hackers Used Hugging Face to Distribute Android Banking Trojans

Cybersecurity researchers have identified a malware campaign that exploited Hugging Face's AI infrastructure to distribute Android banking trojans. The attackers used a deceptive app called TrustBastion, which tricked users into installing what appeared to be legitimate security software. Upon installation, the app redirected users to an encrypted endpoint that linked to Hugging Face repositories, allowing the malware to evade traditional security measures. The campaign generated new malware variants every 15 minutes, resulting in over 6,000 commits in about 29 days. It infected thousands of victims globally, particularly in regions with high smartphone banking usage but lower mobile security awareness. The operation is believed to be linked to an established cybercriminal group. Security experts warn that this incident highlights vulnerabilities in trusted platforms and calls for improved security measures, including behavioral analysis systems and verification of application authenticity. The incident has also sparked discussions about the need for enhanced security protocols for AI platforms.

AppWizard

January 26, 2026

Google to Make Sideloading Android Apps a High-Friction Process

Google is enhancing the safety of Android users by complicating the process of sideloading applications to reduce security threats. This change aims to inform users about the dangers of installing unverified applications, as criminals often exploit sideloading through social engineering tactics. Last year, Google introduced new developer verification requirements and a revised installation flow to highlight these risks. The new process is designed to resist coercion, ensuring users are not misled into bypassing safety measures. Advanced users will still have the option to sideload apps but through a more challenging process. Additionally, a survey by Bitdefender indicates that while smartphones are commonly used for transactions, many users lack an understanding of their vulnerabilities, leading to increased risks from cybercriminals.

Tech Optimizer

January 7, 2026

Fake error popups are spreading malware fast

A new cybercrime tool called ErrTraffic has emerged, simplifying malware dissemination through deceptive fake error messages that prompt users to address non-existent issues. The attacks begin on compromised websites, where users encounter distorted text and pop-ups suggesting a browser update or font installation. Clicking the provided button copies a command to the clipboard, instructing users to paste it into PowerShell, which triggers the malware infection. ErrTraffic automates this process, requiring minimal investment for attackers to access a control panel and scripted payload delivery. It operates via JavaScript injection, adapting to the user's operating system and browser to display tailored messages. This method effectively bypasses traditional malware defenses, achieving high conversion rates, with nearly 60% of users following through with the instructions. Infected devices may deploy infostealers or banking trojans, with the system designed to evade law enforcement by excluding certain regions. To mitigate risks, users should avoid copying commands from websites, trust built-in update notifications, use robust antivirus software, and regularly remove personal information from data broker sites.

Tech Optimizer

December 12, 2025

The digital impersonators: How cybercriminals hijack your brand to launch malvertising attacks

Brand trust is highly valued by consumers, leading cybercriminals to exploit it through malvertising, which embeds malicious code in legitimate ads. Malvertising can redirect users to phishing sites or download malware. Cybercriminals create fake ads that mimic trusted brands, targeting high-traffic moments and using real-time bidding to distribute these ads on reputable sites. The process involves setting up fake accounts, creating convincing ads, purchasing ad space, and delivering malware through exploit kits. The consequences include identity theft and financial loss for consumers, and reputational damage for brands. To protect against these threats, organizations should implement regular software updates, continuous employee training, protective tools, and consider partnering with managed service providers for enhanced security measures.

AppWizard

December 12, 2025

Before You Download a Minecraft APK, Read This

Minecraft is one of the most downloaded games in history, leading to a high demand for free or modded APK versions, particularly among Android users. Downloading unofficial Minecraft APKs is generally unsafe due to several risks: 1. High malware infection rates: Gaming APKs are significant conduits for Android malware, with Minecraft APKs frequently flagged. Reports indicate that game-related APK downloads account for 19% to 28% of Android trojan distribution cases. 2. Fake Minecraft APK sites often engage in phishing: Over 50% of such sites feature intrusive ads or misleading download buttons, and nearly 30% redirect users to phishing landing pages. 3. Modified APKs may request dangerous permissions: Many modified APKs ask for permissions that exceed basic functionality, such as access to SMS, device admin privileges, and the microphone and camera. 4. Lack of automatic updates creates long-term security vulnerabilities: APKs from external sites do not receive automatic updates, may contain known vulnerabilities, and can be replaced by more harmful versions. An example is given of a user named John, who downloaded a seemingly harmless APK that contained hidden spyware, leading to issues with his device and privacy. Many users download Minecraft APKs to avoid purchase costs, but the risks to their devices and data are significant.

AppWizard

December 8, 2025

Android Malware FvncBot, SeedSnatcher, and ClayRat Gain Stronger Data Theft Features

Cybersecurity researchers have identified two new families of Android malware, FvncBot and SeedSnatcher, as well as an upgraded version of ClayRat. FvncBot is designed to target mobile banking users in Poland, masquerading as a security application from mBank. It is built from scratch and includes features such as keylogging, web-inject attacks, screen streaming, and hidden virtual network computing (HVNC). It uses a crypting service called apk0day and communicates with a remote server at naleymilva.it.com. FvncBot requests accessibility permissions to operate with elevated privileges and can perform various malicious activities, including exfiltrating data and delivering overlays on targeted applications. SeedSnatcher is disguised as a cryptocurrency wallet app called Coin and is distributed via Telegram. It focuses on stealing cryptocurrency wallet seed phrases and can intercept SMS messages to capture two-factor authentication codes. It employs techniques like dynamic class loading and WebView content injection to evade detection and initially requests minimal permissions before escalating its access. The upgraded ClayRat malware now exploits accessibility services and default SMS permissions, allowing it to record keystrokes, capture screen content, and present deceptive overlays. It has been distributed through fraudulent phishing domains and dropper apps that impersonate legitimate services. The enhanced capabilities of ClayRat enable complete device takeovers and persistent overlays, making it a more significant threat than its previous version.

AppWizard

November 14, 2025

Google warns Android users: Don’t install these apps on your phone!

Google has warned Android users to be cautious when downloading applications from the Google Play Store, particularly those pretending to be VPN services, as they may contain malware. This warning is prompted by new age verification laws in the UK and Italy, which have led minors to seek VPN apps to bypass adult content restrictions, creating an opportunity for cybercriminals to offer fake VPN services. These fraudulent apps can deploy various types of malware, including info-stealers and banking trojans, compromising personal data and financial credentials. Google highlighted that threat actors use sophisticated advertising strategies to distribute these malicious applications, often impersonating trusted brands or using social engineering tactics. To protect against these threats, users are advised to download VPN services only from reputable sources, avoid apps promoted through ads, and pay attention to app permissions. Google Play Protect and a special VPN badge can help identify legitimate apps.

AppWizard

November 8, 2025

A dangerous rise in Android malware hits critical industries

A study by Zscaler has reported a significant increase in mobile and IoT security incidents, with 239 malicious Android applications on Google Play downloaded 42 million times. There has been a 67% year-over-year increase in Android malware transactions, primarily involving spyware, banking trojans, and adware, which now constitutes 69% of all malware detections. The energy sector has seen a 387% rise in attack attempts, while manufacturing and transportation industries face over 40% of IoT threats. IoT attacks are largely driven by malware families like Mirai, Mozi, and Gafgyt, which account for about 75% of malicious payloads, with routers being the primary targets. Mobile attacks are concentrated in a few countries, emphasizing the need for enhanced security measures.